Merge pull request #2099 from horazont/feature/stop-save_as-from-breaking-out-of-output

Try to prevent writing outside of the output directory
2017-02-28 11:17:44 -08:00 · 2017-02-28 11:17:44 -08:00 · ee643d47d7
commit ee643d47d7
parent f4bce91837 018f4468cc
5 changed files with 105 additions and 6 deletions
--- a/pelican/tests/test_contents.py
+++ b/pelican/tests/test_contents.py
@ -497,6 +497,30 @@ class TestArticle(TestPage):
        article = Article(**article_kwargs)
        self.assertEqual(article.url, 'fedora.qa/this-week-in-fedora-qa/')

+    def test_valid_save_as_detects_breakout(self):
+        settings = get_settings()
+        article_kwargs = self._copy_page_kwargs()
+        article_kwargs['metadata']['slug'] = '../foo'
+        article_kwargs['settings'] = settings
+        article = Article(**article_kwargs)
+        self.assertFalse(article.valid_save_as())
+
+    def test_valid_save_as_detects_breakout_to_root(self):
+        settings = get_settings()
+        article_kwargs = self._copy_page_kwargs()
+        article_kwargs['metadata']['slug'] = '/foo'
+        article_kwargs['settings'] = settings
+        article = Article(**article_kwargs)
+        self.assertFalse(article.valid_save_as())
+
+    def test_valid_save_as_passes_valid(self):
+        settings = get_settings()
+        article_kwargs = self._copy_page_kwargs()
+        article_kwargs['metadata']['slug'] = 'foo'
+        article_kwargs['settings'] = settings
+        article = Article(**article_kwargs)
+        self.assertTrue(article.valid_save_as())
+

 class TestStatic(LoggedTestCase):